[comp.os.vms] VMS PASSWORD CHECKER. HERE IT IS

brodie@fps.mcw.edu (11/16/89)

I love DECUS.  Nowhere else in the world can you find "neat" hints
and tips from other users (AND from DEC :-).    I recently attended the
Anaheim Symposium, where I picked up this neat little tidbit--

SECURITY has always been a hot topic, especially for VAX systems.  One
thing that has come up in the past is the need for a "password checker"
utility that can go through the UAF file and tell you (the system manager,
presumably) which people are using STUPID passwords (prime example:
password = their own username).

YOU ALL HAVE THIS UTILITY ALREADY
---------------------------------

For all of you that are on VMS version 5, think back to your upgrade
procedure.   Just before the upgrade really gets going, there is a
documented step in which the VMSINSTAL procedure "checks" the passwords
of the system accounts (SYSTEM, FIELD, SYSTEST, etc.) to make sure that
they do not have "weak" or null passwords.

I had always thought that that was a specialized utility, that only checks
those accounts.    WRONG!

On the VMS Version 5.0 distribution tape, in the saveset VMS050.A, there
are two handy files--

VMS$SECUREPWD.COM   and
VMS$SECUREPWD.EXE

Gee, guess what these do?!

VMS$SECUREPWD.EXE is a program that takes one parameter (the username) and
"checks" the password to see whether it is "VALID" or "WEAK" (easily
guessable).  It does this WITHOUT trying to log in to the account, so the
user never sees that someone (the system manager) "tried" to log in
unsuccessfully.  Note that the program does NOT tell you WHICH password it
is, but suffice it to say that if an account comes up with a "WEAK" status,
you should probably force the user to change the password.

VMS$SECUREPWD.COM is the command file that runs VMS$SECUREPWD.EXE on the
system accounts, and is set up to be run in the context of a system install
or an upgrade.   However, you can easily modify your OWN copy to do the
WHOLE UAF file, and not just one (small group of) account(s).

Here's how it works.

0. just for kicks, BACKUP your UAF file to a secure location or tape.

(make a DCL command procedure that does the following)

1. define a foreign command for VMS$SECUREPWD.EXE (let's call it "validate").
   Do NOT install this image; keep it in a PROTECTED system directory instead,
   so that only you can run it.  You may even want to rename it to something
   like "XMAR11.EXE" or some other unobvious name...

2. use your dcl know-how to get a UAF listing, and read one username at a time
   from this list.

3. for each username, do the following

   $ validate check 'username/guess

   this assumes, of course, that the symbol "username" is defined as
   one of your valid usernames....

4. For each username, VMS$SECUREPWD.EXE takes only a second or two.
   When it finishes, it leaves its verdict in VMS$SECURE (a logical
   name/symbol) with one of the following values:

   "VALID"       password is not easily guessable
   "WEAK"        password is too easy to guess (most common: pw=username)
   "DISUSER"     account is disabled
   "NONEXIST"    account does not exist


That's it, folks!    Due to the licensing/rights of VMS$SECUREPWD.COM, 
I cannot post it here.   However, you all have your OWN copies on your
distribution tapes, and you are all strictly on your own as far as
running it.

note-- take a GOOD look at VMS$SECUREPWD.COM to verify what it is doing!
You also need a fairly privileged account to run it, since the checker has
to read SYSUAF.DAT.

Additionally, there is one last qualifier, /EXCLUDE.   The /EXCLUDE list
is where you give a list of OTHER passwords that you do not want people
using (for example, the initials of your company, the name of your company,
and other easy-to-guess passwords specific to your site/location).

This qualifier goes at the end of the command and accepts a list,
e.g.,
e.g.,

$ validate check 'username/guess/exclude=(MEDCOL,VAXVMS,COKE,PEPSI)    
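Here, as an added example, is a DCL command procedure that strings steps 1
through 4 and the /EXCLUDE qualifier together.  It is NOT code from the
original post and NOT DEC's VMS$SECUREPWD.COM (which can't be posted); it
only calls the image the way the post describes.  Its assumptions are
labelled: the renamed image lives at SYS$MANAGER:XMAR11.EXE, the verdict
comes back in VMS$SECURE as either a DCL symbol or a logical name (the post
calls it both, so both are checked), the username on each AUTHORIZE
SHOW/BRIEF line is the last word before the bracketed UIC, and the /EXCLUDE
words are made-up examples.  Adjust all of those for your site.

```dcl
$! CHECK_UAF.COM -- added example, not from the original post and not DEC's
$! VMS$SECUREPWD.COM.  Runs the password checker image against every
$! username in SYSUAF and reports the accounts that do not come back "VALID".
$!
$! Assumptions (hypothetical, not from the post):
$!   - the image was copied (NOT installed) to a protected directory and
$!     renamed; here SYS$MANAGER:XMAR11.EXE
$!   - the verdict is left in VMS$SECURE as a logical name or a DCL symbol
$!   - the /EXCLUDE words below are examples only
$!
$ set noon                               ! one odd account must not stop the sweep
$ validate :== $SYS$MANAGER:XMAR11.EXE   ! foreign command for the checker image
$ exclude  = "(MEDCOL,VAXVMS,COKE,PEPSI)"
$ listing  = "SYS$MANAGER:CHECK_UAF.TMP"
$ report   = "SYS$MANAGER:CHECK_UAF.LIS"
$ total = 0
$ weak  = 0
$!
$! Step 2: get a brief UAF listing into a temporary file.  This needs read
$! access to SYSUAF.DAT (SYSPRV or equivalent), as does the checker itself.
$ define/user_mode sys$output 'listing'
$ mcr authorize show */brief
$!
$! The report names accounts with guessable passwords, so create it with a
$! tight protection BEFORE anything is written to it.
$ create/protection=(s:rwed,o:rwed,g,w) 'report'
$ open/append rpt 'report'
$ open/read   uaf 'listing'
$!
$ read_loop:
$ read/end_of_file=done uaf line
$!  Every account line carries a bracketed UIC; the username is the last
$!  word before it.  Header, blank and separator lines have no "[" and are
$!  skipped, so an Owner field containing spaces does not break the parse.
$ pos = f$locate("[", line)
$ if pos .eq. f$length(line) then goto read_loop
$ left = f$edit(f$extract(0, pos, line), "TRIM,COMPRESS")
$ if left .eqs. "" then goto read_loop
$ i = 0
$ username = ""
$ word_loop:
$ word = f$element(i, " ", left)
$ if word .eqs. " " then goto got_name   ! F$ELEMENT returns the delimiter past the end
$ username = word
$ i = i + 1
$ goto word_loop
$ got_name:
$ total = total + 1
$!
$! Step 3: check this account without attempting a login.
$ validate check 'username'/guess/exclude='exclude'
$!
$! Step 4: pick up the verdict -- logical name first, then DCL symbol.
$ result = f$trnlnm("VMS$SECURE")
$ if result .eqs. "" .and. f$type(vms$secure) .nes. "" then result = vms$secure
$ if result .eqs. "" then result = "UNKNOWN"   ! image gave no verdict; look at it by hand
$ if result .nes. "VALID" then write rpt f$fao("!16AS !AS", username, result)
$ if result .eqs. "WEAK" then weak = weak + 1
$ goto read_loop
$!
$ done:
$ close uaf
$ close rpt
$ delete/nolog 'listing';*
$ write sys$output f$fao("!UL accounts checked, !UL weak; details in !AS", total, weak, report)
$ exit
```

Run it from a privileged account with @SYS$MANAGER:CHECK_UAF, and treat
CHECK_UAF.LIS as sensitive: it is a list of the accounts worth attacking
first.  DISUSER and NONEXIST entries are reported too, so you can see
stale accounts in the same pass; delete the report once the affected users
have changed their passwords.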

Well, that's it.   have fun.

*DISCLAIMER*:   The opinions in this article are my own, and only mine.
No guarantee is given on the above procedure, you are strictly on your
own.  Additionally, you may want to check with your local DEC customer
support rep before running this program.   I have provided this information
as a "useful tool" on a "you have it, you may want to USE it but if it
blows up, don't come crying to me" basis.

VMS$SECUREPWD.COM and VMS$SECUREPWD.EXE are both copyrighted by DIGITAL
EQUIPMENT CORP, and they will get extremely cranky if you give copies
of these utilities to anyone.   That's why I did not post my OWN utility--
you're gonna all have to write your own.

by the way, I ran this on our uaf of 324 user accounts.   7 of them
showed up as "weak", and 5 of those 7 had the PW=USERNAME combination.

SHEESH.
-------------------------------------------------------------------------------
Kent C. Brodie - Systems Manager		brodie@mcw.edu
Medical College of Wisconsin			+1 414 778 4500

"Gee, I hope these are the right coordinates..."  -Chief O'Brian; STTNG